
Example 1 with OwnerResolver

use of com.evolveum.midpoint.security.api.OwnerResolver in project midpoint by Evolveum.

Class ChangeExecutor, method executeAddition.

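/**
 * Executes an ADD delta: folds the delta's pending item modifications into the object, authorizes
 * the add in the EXECUTION phase, stamps creation metadata and then hands the object to the task
 * manager, to provisioning or to the repository, depending on its type.
 *
 * <p>The security check is evaluated on {@code objectToAdd} <em>after</em> the modifications have
 * been applied, so the object the enforcer sees is exactly the one that gets stored. Only the ADD
 * action is authorized here: an overwrite add ({@link ModelExecuteOptions#isOverwrite}) replaces a
 * repository object with the same OID, and no separate authorization of the object being replaced
 * is performed in this method — presumably handled by the caller, verify against the callers.
 *
 * <p>Every outcome, including a denied authorization, is recorded on the task via
 * {@code recordObjectActionExecuted}; any throwable is recorded with the action and rethrown.
 *
 * @param change        the ADD delta; on success its OID is set to the created object's OID, and its
 *                      pending modifications are cleared once they have been applied
 * @param context       lens context used for owner resolution, metadata, default options and the audit
 *                      channel; the options fallback guards against {@code null}, so the channel lookup
 *                      is null-safe as well (the other collaborators receive it as given)
 * @param objectContext element context of the object being added
 * @param options       execution options; when {@code null}, the context's options are used instead
 * @param resource      resource the object belongs to (provisioning objects only)
 * @param task          task on which the executed action is recorded
 * @param result        operation result; receives the return value {@code createdAccountOid} for
 *                      provisioning adds
 * @throws SecurityViolationException    when the EXECUTION-phase authorization denies the add
 * @throws UnsupportedOperationException when a {@code NodeType} is added through the model interface
 * @throws SystemException               when provisioning or the repository return a {@code null} OID
 */
private <T extends ObjectType, F extends ObjectType> void executeAddition(ObjectDelta<T> change, final LensContext<F> context, LensElementContext<T> objectContext, ModelExecuteOptions options, ResourceType resource, Task task, OperationResult result) throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
    PrismObject<T> objectToAdd = change.getObjectToAdd();
    // Apply pending item deltas first, so that the authorization below and the stored object
    // agree on the object's content.
    if (change.getModifications() != null) {
        for (ItemDelta<?, ?> delta : change.getModifications()) {
            delta.applyTo(objectToAdd);
        }
        change.getModifications().clear();
    }
    OwnerResolver ownerResolver = createOwnerResolver(context, task, result);
    try {
        securityEnforcer.authorize(ModelAuthorizationAction.ADD.getUrl(), AuthorizationPhaseType.EXECUTION, objectToAdd, null, null, ownerResolver, result);
        T objectTypeToAdd = objectToAdd.asObjectable();
        metadataManager.applyMetadataAdd(context, objectToAdd, clock.currentTimeXMLGregorianCalendar(), task, result);
        // Use a local instead of reassigning the parameter; fall back to the context's options only
        // when none were given.
        ModelExecuteOptions effectiveOptions = options;
        if (effectiveOptions == null && context != null) {
            effectiveOptions = context.getOptions();
        }
        String oid;
        if (objectTypeToAdd instanceof TaskType) {
            oid = addTask((TaskType) objectTypeToAdd, result);
        } else if (objectTypeToAdd instanceof NodeType) {
            throw new UnsupportedOperationException("NodeType cannot be added using model interface");
        } else if (ObjectTypes.isManagedByProvisioning(objectTypeToAdd)) {
            ProvisioningOperationOptions provisioningOptions = getProvisioningOptions(context, effectiveOptions);
            oid = addProvisioningObject(objectToAdd, context, objectContext, provisioningOptions, resource, task, result);
            if (oid == null) {
                throw new SystemException("Provisioning addObject returned null OID while adding " + objectToAdd);
            }
            result.addReturn("createdAccountOid", oid);
        } else {
            FocusConstraintsChecker.clearCacheFor(objectToAdd.asObjectable().getName());
            RepoAddOptions addOpt = new RepoAddOptions();
            // Overwrite replaces an existing repository object with the same OID; it is covered by
            // the ADD authorization above only.
            if (ModelExecuteOptions.isOverwrite(effectiveOptions)) {
                addOpt.setOverwrite(true);
            }
            // noCrypt lets the repository accept protected values that are not encrypted; it is
            // driven purely by the execute options.
            if (ModelExecuteOptions.isNoCrypt(effectiveOptions)) {
                addOpt.setAllowUnencryptedValues(true);
            }
            oid = cacheRepositoryService.addObject(objectToAdd, addOpt, result);
            if (oid == null) {
                throw new SystemException("Repository addObject returned null OID while adding " + objectToAdd);
            }
        }
        change.setOid(oid);
        task.recordObjectActionExecuted(objectToAdd, objectToAdd.getCompileTimeClass(), oid, ChangeType.ADD, context != null ? context.getChannel() : null, null);
    } catch (Throwable t) {
        // Null-safe channel lookup: the original dereferenced context here unconditionally, so a
        // missing context would have raised an NPE in the handler and masked the real cause t.
        task.recordObjectActionExecuted(objectToAdd, objectToAdd.getCompileTimeClass(), null, ChangeType.ADD, context != null ? context.getChannel() : null, t);
        throw t;
    }
}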

Example 2 with OwnerResolver

use of com.evolveum.midpoint.security.api.OwnerResolver in project midpoint by Evolveum.

Class ChangeExecutor, method executeDeletion.

/**
 * Executes a DELETE delta. The delete is authorized (EXECUTION phase) against the object's old
 * state taken from {@code objectContext}, then dispatched to the task manager (tasks, nodes), to
 * provisioning (resource objects) or to the repository (everything else).
 *
 * <p>For provisioning and repository deletes an {@code ObjectNotFoundException} is tolerated: the
 * desired end state ("object gone") already holds, so the subresult error is muted and the action is
 * still recorded as executed. Task and node deletes get no such tolerance.
 *
 * <p>NOTE(review): {@code objectContext.getObjectOld()} is handed to the enforcer as-is; when the
 * old object was never loaded this is {@code null}, and how the enforcer decides in that case is
 * not visible here — confirm.
 *
 * @param change        the DELETE delta providing the OID and the object type
 * @param context       lens context (owner resolution, provisioning options, audit channel)
 * @param objectContext element context holding the old state of the object
 * @param options       execution options passed on to provisioning
 * @param resource      resource the object lives on (provisioning objects only)
 * @param task          task on which the executed action is recorded, also on failure
 * @param result        operation result
 * @throws SecurityViolationException when the EXECUTION-phase authorization denies the delete
 */
private <T extends ObjectType, F extends ObjectType> void executeDeletion(ObjectDelta<T> change, LensContext<F> context, LensElementContext<T> objectContext, ModelExecuteOptions options, ResourceType resource, Task task, OperationResult result) throws ObjectNotFoundException, ObjectAlreadyExistsException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
    final String targetOid = change.getOid();
    final Class<T> targetType = change.getObjectTypeClass();
    final PrismObject<T> existing = objectContext.getObjectOld();
    final OwnerResolver resolver = createOwnerResolver(context, task, result);
    try {
        securityEnforcer.authorize(ModelAuthorizationAction.DELETE.getUrl(), AuthorizationPhaseType.EXECUTION, existing, null, null, resolver, result);
        if (TaskType.class.isAssignableFrom(targetType)) {
            taskManager.deleteTask(targetOid, result);
        } else if (NodeType.class.isAssignableFrom(targetType)) {
            taskManager.deleteNode(targetOid, result);
        } else {
            final boolean viaProvisioning = ObjectTypes.isClassManagedByProvisioning(targetType);
            // Resolved before the try below so that it is not covered by the not-found handling.
            final ProvisioningOperationOptions provisioningOptions = viaProvisioning ? getProvisioningOptions(context, options) : null;
            try {
                if (viaProvisioning) {
                    deleteProvisioningObject(targetType, targetOid, context, objectContext, provisioningOptions, resource, task, result);
                } else {
                    cacheRepositoryService.deleteObject(targetType, targetOid, result);
                }
            } catch (ObjectNotFoundException e) {
                // Already gone (e.g. a race with another deleter). The state we wanted is reached,
                // so this is not treated as a failure.
                LOGGER.trace("Attempt to delete object {} ({}) that is already gone", targetOid, targetType);
                result.muteLastSubresultError();
            }
        }
        task.recordObjectActionExecuted(existing, targetType, targetOid, ChangeType.DELETE, context.getChannel(), null);
    } catch (Throwable t) {
        task.recordObjectActionExecuted(existing, targetType, targetOid, ChangeType.DELETE, context.getChannel(), t);
        throw t;
    }
}

Example 3 with OwnerResolver

use of com.evolveum.midpoint.security.api.OwnerResolver in project midpoint by Evolveum.

Class ChangeExecutor, method executeModification.

/**
 * Executes a MODIFY delta. The modification is authorized (EXECUTION phase) against the object's
 * new state and the delta itself, modification metadata is added to the delta, and the delta is then
 * applied through the task manager, provisioning or the repository depending on the object type.
 *
 * <p>An empty delta (after metadata handling) is a no-op: nothing is applied and no action is
 * recorded on the task.
 *
 * <p>NOTE(review): the OID returned by {@code modifyProvisioningObject} is dereferenced without a
 * null check, unlike the addition path which rejects a {@code null} OID explicitly — assumed to be
 * non-null, confirm.
 *
 * @param change        the MODIFY delta; its OID is updated if provisioning reports a different one
 * @param context       lens context (owner resolution, metadata, provisioning options, audit channel)
 * @param objectContext element context holding the new state of the object
 * @param options       execution options passed on to provisioning
 * @param resource      resource the object lives on (provisioning objects only)
 * @param task          task on which the executed action is recorded, also on failure
 * @param result        operation result
 * @throws SecurityViolationException    when the EXECUTION-phase authorization denies the modification
 * @throws UnsupportedOperationException when a {@code NodeType} is modified through the model interface
 */
private <T extends ObjectType, F extends ObjectType> void executeModification(ObjectDelta<T> change, LensContext<F> context, LensElementContext<T> objectContext, ModelExecuteOptions options, ResourceType resource, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
    final Class<T> targetType = change.getObjectTypeClass();
    final PrismObject<T> projected = objectContext.getObjectNew();
    final OwnerResolver resolver = createOwnerResolver(context, task, result);
    try {
        // The delta is passed along with the object so that the enforcer can evaluate the concrete
        // modifications, not only the resulting object.
        securityEnforcer.authorize(ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.EXECUTION, projected, change, null, resolver, result);
        // Metadata modifications are added to the delta after the authorization check.
        metadataManager.applyMetadataModify(change, objectContext, targetType, clock.currentTimeXMLGregorianCalendar(), task, context, result);
        if (!change.isEmpty()) {
            if (TaskType.class.isAssignableFrom(targetType)) {
                taskManager.modifyTask(change.getOid(), change.getModifications(), result);
            } else if (NodeType.class.isAssignableFrom(targetType)) {
                throw new UnsupportedOperationException("NodeType is not modifiable using model interface");
            } else if (ObjectTypes.isClassManagedByProvisioning(targetType)) {
                final ProvisioningOperationOptions provisioningOptions = getProvisioningOptions(context, options);
                final String resultingOid = modifyProvisioningObject(targetType, change.getOid(), change.getModifications(), context, objectContext, provisioningOptions, resource, task, result);
                // Keep the delta pointing at the object if provisioning reports a different OID.
                if (!resultingOid.equals(change.getOid())) {
                    change.setOid(resultingOid);
                }
            } else {
                FocusConstraintsChecker.clearCacheForDelta(change.getModifications());
                cacheRepositoryService.modifyObject(targetType, change.getOid(), change.getModifications(), result);
            }
            // change.getOid() is read here rather than cached above, as it may have been updated.
            task.recordObjectActionExecuted(projected, targetType, change.getOid(), ChangeType.MODIFY, context.getChannel(), null);
        }
    } catch (Throwable t) {
        task.recordObjectActionExecuted(projected, targetType, change.getOid(), ChangeType.MODIFY, context.getChannel(), t);
        throw t;
    }
}

Example 4 with OwnerResolver

use of com.evolveum.midpoint.security.api.OwnerResolver in project midpoint by Evolveum.

Class Clockwork, method authorizeContextRequest.

/**
 * Authorizes the request represented by a lens context: the focus context (when present) and then
 * every projection context are checked with a shared owner resolver, and only after all of them pass
 * is the context flagged as request-authorized. The fourth argument of
 * {@code authorizeElementContext} distinguishes the focus ({@code true}) from projections
 * ({@code false}).
 *
 * <p>Bookkeeping is done on a minor subresult named {@code <Clockwork>.authorizeRequest}: success is
 * recorded on completion; any failure (including runtime exceptions and errors) is recorded as fatal
 * and rethrown, leaving the context not authorized.
 *
 * @param context      lens context to authorize
 * @param task         current task, passed to the owner resolver and the element checks
 * @param parentResult parent operation result under which the subresult is created
 * @throws SecurityViolationException when an element context fails authorization
 * @throws SchemaException            when schema processing during the checks fails
 */
private <F extends ObjectType> void authorizeContextRequest(LensContext<F> context, Task task, OperationResult parentResult) throws SecurityViolationException, SchemaException {
    final OperationResult result = parentResult.createMinorSubresult(Clockwork.class.getName() + ".authorizeRequest");
    try {
        final OwnerResolver resolver = new LensOwnerResolver<>(context, objectResolver, task, result);
        final LensFocusContext<F> focus = context.getFocusContext();
        if (focus != null) {
            authorizeElementContext(context, focus, resolver, true, task, result);
        }
        for (LensProjectionContext projection : context.getProjectionContexts()) {
            authorizeElementContext(context, projection, resolver, false, task, result);
        }
        context.setRequestAuthorized(true);
        result.recordSuccess();
    } catch (SecurityViolationException | SchemaException | RuntimeException | Error e) {
        result.recordFatalError(e);
        throw e;
    }
}
